I need to renew the SSL certification for my Linux mail server (Zimbra)

Did you run it with something like export PATH=$PATH:/root; certbot-auto, or ./certbot-auto, or /root/certbot-auto, or some other way?

I run “bash certbot-auto” from root.
It’s not working without bash.

In this case you should try to run it as ./certbot-auto instead of bash certbot-auto. Programs in the current directory are not in your PATH by default and so you need to specify what directory they’re in, such as the current directory (.).

perfect.

It asked me to run “./certbot-auto certonly” and now I have two options:

1: Spin up a temporary webserver (Standalone)
2: Place files in webroot directory (webroot)

As I want this cert for my mail server, not the web server, which option should I choose?

Is there a webserver running on port 80 on the same machine as the mail server? If so, use webroot; if not, standalone.

If you choose webroot you’ll need to know what directory the webserver serves its files from.

No, it’s just a mail server.

In that case you should choose the standalone option (1).

EDIT: reading back, it might also be worth trying:

./certbot-auto renew

to see if it can just find your existing settings from when you got the original cert and renew it based on the same settings.

I tried ./certbot-auto renew but it failed:

No renewals were attempted.
Additionally, the following renewal configuration files were invalid:

/etc/letsencrypt/renewal/mailserver.mydomain.ca-0001.conf (parsefail)
/etc/letsencrypt/renewal/mailserver.mydomain.ca-0002.conf (parsefail)
/etc/letsencrypt/renewal/mailserver.mydomain.ca.conf (parsefail)

It seems the mailserver.mydomain.ca.conf is broken.

Then I ran ./certbot-auto certonly, and after I chose the first option and entered my mail server address mailserver.mydomain.ca, this is what I got:

Performing the following challenges:
tls-sni-01 challenge for mailserver.mydomain.ca
Cleaning up challenges
Problem binding to port 443: could not bind to IPv4 or IPv6

Hmm, do you have something else running on port 443?

Maybe try this, which should use port 80:

./certbot-auto certonly --standalone --preferred-challenges http

Are you sure you don’t have a webserver on this machine?

It might be worth having a look at the renewal configuration files too, to see if we can figure out why they couldn’t be parsed.

No, there is no web server on this machine.

You mean the mailserver.mydomain.ca-0002.conf file?

Yes, well, all three of them really; it’s surprising that any of them would fail to parse.

This is the contents of the file:

So when you said “mailserver” you actually meant Zimbra, right?

Yes, the mail server is Zimbra.

How did you find out it’s Zimbra? :smiley:

But Zimbra includes a webserver too, so that's probably what's taking up port 443.

Sorry but I'm not familiar with Zimbra. Their wiki gives some advice but it seems a little deficient: it describes an old way of installing certbot and doesn't seem to explain how to set up auto-renewal. I guess it would be something like... you would need to put all the steps that happen before and after the certbot command into two scripts, and pass them to the --pre-hook and --post-hook options. Then you would set up a cron job or systemd timer to run /path/to/certbot-auto renew twice a day.

Or you could just follow the whole procedure manually if you don't mind repeating it every few months...

Your screenshot and username provided enough clues to find your old cert in https://crt.sh :wink:

I don't see anything obviously wrong with the file btw, so I still don't know why it's not parsing.

I think Java is listening on port 443. Could that be the reason?

That’s probably the reason Certbot isn’t working, yes. I believe some versions of Zimbra use Jetty, a Java webserver.

Oooooh, and I bet I know why certbot is failing to parse the files too. If the person who set up the certificate originally followed the instructions in that wiki … they might have concatenated the Identrust root to the chain.pem file, and when certbot tries to parse it, it notices that the cert+chain no longer matches the fullchain and bails out.

What version of Zimbra are you using? If you don’t know, it looks like it can be found by typing zmcontrol -v
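The guess above (a root concatenated onto chain.pem, so that cert.pem + chain.pem no longer equals fullchain.pem) is cheap to verify before blaming certbot. The following is an added example, not code from the thread or from certbot: it compares the PEM blocks in a /etc/letsencrypt/live/<name>/ directory and flags trailing certificates in chain.pem that certbot never wrote into fullchain.pem. It deliberately stays at the PEM-block level (no X.509 parsing), so it cannot tell you *which* CA the extra block belongs to; for that, run `openssl x509 -noout -subject -issuer` on the block. The sample lineage it builds uses constructed placeholder blocks, not real certificates, so it runs offline; point `check_lineage` at a real live directory to use it for real.

```python
"""Check that a certbot lineage's fullchain.pem is exactly cert.pem + chain.pem.

Added example, not part of the original thread. It looks at PEM blocks only
(no X.509 parsing), which is enough to spot a root certificate that was
concatenated onto chain.pem by hand, as the thread suspects happened here.
"""
import base64
import re
import tempfile
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_blocks(text: str) -> list:
    """Return the base64 body of every CERTIFICATE block, whitespace-normalised."""
    return ["".join(body.split()) for body in PEM_BLOCK.findall(text)]


def check_lineage(live_dir) -> list:
    """Return a list of problems found in a /etc/letsencrypt/live/<name>/ directory.

    An empty list means cert.pem + chain.pem == fullchain.pem, which is the
    layout certbot itself writes.
    """
    live = Path(live_dir)
    cert = pem_blocks((live / "cert.pem").read_text())
    chain = pem_blocks((live / "chain.pem").read_text())
    fullchain = pem_blocks((live / "fullchain.pem").read_text())

    problems = []
    if len(cert) != 1:
        problems.append(f"cert.pem holds {len(cert)} certificates, expected 1")
    if cert + chain != fullchain:
        expected_chain_len = len(fullchain) - len(cert)
        # Same leaf, same leading intermediates, but chain.pem goes on longer:
        # that is the signature of something appended to chain.pem after the fact.
        if (
            expected_chain_len > 0
            and cert == fullchain[: len(cert)]
            and chain[:expected_chain_len] == fullchain[len(cert):]
        ):
            extra = len(chain) - expected_chain_len
            problems.append(
                f"chain.pem has {extra} trailing certificate(s) that are not in "
                "fullchain.pem (a root appended by hand?)"
            )
        else:
            problems.append("fullchain.pem is not cert.pem followed by chain.pem")
    return problems


def fake_pem(label: str) -> str:
    """Constructed placeholder block: base64 of a label, NOT a real certificate."""
    body = base64.b64encode(f"constructed {label}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def make_sample_lineage(append_root: bool) -> str:
    """Write a certbot-style lineage to a temp dir and return its path.

    With append_root=True the root is concatenated onto chain.pem only, while
    fullchain.pem stays as certbot wrote it. This is a constructed sample.
    """
    live = Path(tempfile.mkdtemp(prefix="live-"))
    leaf, intermediate, root = fake_pem("leaf"), fake_pem("intermediate"), fake_pem("root")
    (live / "cert.pem").write_text(leaf)
    (live / "chain.pem").write_text(intermediate + (root if append_root else ""))
    (live / "fullchain.pem").write_text(leaf + intermediate)
    return str(live)


if __name__ == "__main__":
    for append in (False, True):
        result = check_lineage(make_sample_lineage(append)) or ["OK"]
        print(f"root appended to chain.pem: {append} -> {result}")
```

If the check reports a trailing certificate, the fix is to remove the hand-appended block from chain.pem (certbot's own files live under /etc/letsencrypt/archive/, with live/ holding symlinks) and to build any Zimbra-specific "chain plus root" bundle in a separate file, as the deploy script later in this thread does with zimbrachain.pem, rather than editing certbot's files in place.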

It’s version 8.5.0_GA_3042.FOSS

Okay, so … I’m trusting the wiki here as I’m not a Zimbra user myself …

The general procedure will be something along the lines of:

  1. Stop Zimbra
  2. Get your certificate
  3. Install the certificate
  4. Restart Zimbra

The wiki provides instructions on how to complete each of these steps, individually, manually.

Ideally, you want automated renewals. The way this would work is: you run a certbot command and pass it some options to run other commands before and after it tries to obtain your certificate. Then it will remember those commands and automatically run them again when it renews.

I don’t use Zimbra and I haven’t tested this procedure so try it out at your own risk. If you’re not comfortable with that then stick with the wiki I guess.

First you need the root certificate (you shouldn’t really need this but apparently it’s a quirk of Zimbra that it’s required). The link in the wiki seems stale but you can download it from crt.sh by running this command:

curl https://crt.sh/?d=8395 -o /root/identrust.pem

Next, the process to install the certificate is quite complicated so create a script for it. Create a file named, say, /root/zimbra-deploy.sh and add the following contents to it:

#!/bin/bash -e

# Combine the intermediate and root certificates as required by Zimbra:
cat "$RENEWED_LINEAGE/chain.pem" /root/identrust.pem > "$RENEWED_LINEAGE/zimbrachain.pem"

# Backup the existing cert:
cp -a /opt/zimbra/ssl/zimbra "/opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")"

# Copy the private key to the required location:
umask 037
cp "$RENEWED_LINEAGE/privkey.pem" /opt/zimbra/ssl/zimbra/commercial/commercial.key

# Deploy the certificate to Zimbra:
/opt/zimbra/bin/zmcertmgr deploycrt comm "$RENEWED_LINEAGE/cert.pem" "$RENEWED_LINEAGE/zimbrachain.pem"

Save the file, then make it executable with chmod +x /root/zimbra-deploy.sh

Now everything should be ready to run Certbot:

./certbot-auto certonly --standalone -d mailserver.yourdomain.ca --pre-hook "zmproxyctl stop; zmmailboxdctl stop" --post-hook "zmcontrol restart" --deploy-hook /root/zimbra-deploy.sh

Remember to change mailserver.yourdomain.ca to your actual domain :wink:

If that all works, you can then set up a cron job to run /root/certbot-auto -q renew twice a day. It will do nothing until your cert is 30 days from expiry, then it will run those hook commands again to stop Zimbra, renew your cert, install it, and restart.

